[RFE] Basic Authentication Support for Standalone Neutron

Bug #1935847 reported by Rabi Mishra
This bug affects 1 person
Affects: neutron
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

There are a number of use-cases where users would like to run standalone neutron (at times along with some other services like Ironic for baremetal provisioning), but would still need some basic authentication for users accessing neutron APIs.

Though it's probably possible to deploy neutron with a web server and then configure the web server for basic authentication, it can be a big 'overhead' for small deployments to deploy a web server for standalone neutron and configure it for basic auth.

Also, projects like TripleO still do not deploy neutron with httpd+mod_wsgi due to some issues encountered earlier. The current proposal of a light TripleO undercloud with standalone neutron with basic authentication would benefit from this feature.

It's possible to implement a simple basic auth middleware which is non-invasive and provides the desired feature for standalone neutron.

Tags: api rfe
Rabi Mishra (rabi)
tags: added: rfe
Changed in neutron:
status: New → In Progress
Rabi Mishra (rabi) wrote :

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Rabi:

As commented by Akihiro in the patch, this RFE should be discussed in the drivers meeting [1]. You can add your topic in the "On Demand agenda" [2].

Regards.

[1] https://meetings.opendev.org/#Neutron_drivers_Meeting
[2] https://wiki.openstack.org/wiki/Meetings/NeutronDrivers

Changed in neutron:
importance: Undecided → Wishlist
Rabi Mishra (rabi) wrote :

Thanks Rodolfo, added.

Akihiro Motoki (amotoki) wrote :

IMHO neutron is not a place to implement features provided by web servers like this. I see two reasons below:

- This kind of feature is already supported by web servers and neutron API can be deployed via WSGI. Or you can apply basic auth via proxy (for example with nginx). They have more users so features like this are well tested. OpenStack community has improved WSGI support to leverage web server features to avoid duplicating/re-implementing features achieved in web servers.

- Another reason is from the perspective of WSGI middleware. Adding a middleware to support the basic auth is another way (when you would like to avoid using a web server or a proxy suggested in the first point). Even in this case, neutron is still not a project which implements web server features. Such middleware can be hosted/developed separately from neutron. I see at least one middleware for WSGI basic auth [1]. If existing middleware(s) do not satisfy your requirements, I would suggest developing a new middleware outside of the neutron repo (of course it can be hosted anywhere) and publishing it to PyPI. Anyway, a deployment that would like to use it can configure neutron api-paste to include a middleware in the middleware pipeline to achieve your requirement.

My first impression is that it does not fit into neutron at least.

[1] https://github.com/mvantellingen/wsgi-basic-auth
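
An added example of the kind of out-of-tree WSGI basic-auth middleware described in the comment above, exposed through a PasteDeploy `filter_factory` so it can be listed in an api-paste pipeline. It is not code from neutron, from the abandoned change, or from wsgi-basic-auth; the class name, the realm and the `users` option format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def _digest(secret):
    # Fixed-length digests keep compare_digest from leaking the password length.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class BasicAuthMiddleware:
    """WSGI filter that rejects requests lacking valid Basic credentials."""

    def __init__(self, app, users, realm="neutron"):
        self.app = app
        self.users = {name: _digest(pw) for name, pw in users.items()}
        self.realm = realm

    def _authenticated(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # covers malformed base64 and invalid UTF-8
            return False
        user, sep, password = decoded.partition(":")  # password may contain ':'
        known = self.users.get(user)
        # Compare even for unknown users so both paths do the same work.
        match = hmac.compare_digest(_digest(password), known or bytes(32))
        return bool(sep) and known is not None and match

    def __call__(self, environ, start_response):
        if self._authenticated(environ.get("HTTP_AUTHORIZATION", "")):
            return self.app(environ, start_response)
        body = b"Authentication required\n"
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def filter_factory(global_conf, **local_conf):
    """PasteDeploy entry point; `users` is a constructed option: "name:pw name:pw"."""
    users = dict(pair.split(":", 1) for pair in local_conf["users"].split())
    return lambda app: BasicAuthMiddleware(app, users)
```

A deployment would reference `filter_factory` from a `[filter:...]` section of its paste configuration and place that filter ahead of the API application in the pipeline. Basic credentials are only base64-encoded on the wire, so the listener still needs TLS in front of it.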

Akihiro Motoki (amotoki)
tags: added: api
Rabi Mishra (rabi) wrote :

Hi Akihiro,

Thanks for the feedback.

I agree that there can be a number of ways basic-auth can be implemented. However, as I mentioned in my report, this is mostly for "standalone neutron" use-cases where having a webserver/proxy etc. is an overhead and not feasible and there is a valid use-case for it in TripleO undercloud.

Let's discuss tomorrow.

Rabi Mishra (rabi) wrote :

I think there are some gaps and issues for deploying neutron with httpd+mod_wsgi. Looks like for those reasons both TripleO[1] and kolla-ansible[2] don't deploy that way (unlike other services). Therefore I don't see that as a feasible option for TripleO without fixing those issues in neutron.

I've encountered a few initial issues deploying neutron with httpd+mod_wsgi.

1. There is this confirmed bug[3] of keystonemiddleware issue with neutron. I did hit that issue as you can see here[4][5].

2. There is no way to specify multiple config files or config-dirs[6] (for plugins) as required by many of the production deployments.

I've been told that there are more permissions and selinux issues.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/neutron/neutron-api-container-puppet.yaml#L421

[2] https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/neutron/templates/neutron-server.json.j2#L2

[3] https://bugs.launchpad.net/neutron/+bug/1864418

[4] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_44a/800422/2/check/tripleo-ci-centos-8-scenario007-standalone/44a3b0a/logs/undercloud/var/log/containers/neutron/app.log

[5] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_8fc/800422/5/check/tripleo-ci-centos-8-scenario000-multinode-oooq-container-updates/8fce952/logs/undercloud/var/log/containers/neutron/app.log

[6] https://github.com/openstack/neutron/blob/master/neutron/server/__init__.py#L28-L35

Slawek Kaplonski (slaweq) wrote :

Let's discuss it in the next drivers meeting on Friday 23.07.2021

tags: added: rfe-triaged
removed: rfe
Oleg Bondarev (obondarev) wrote :

Is this new basic auth middleware specific for Neutron? Could it be used by other projects as well (potentially)?

Slawek Kaplonski (slaweq) wrote :

We discussed that RFE today in the drivers meeting and we agreed not to accept it for Neutron. We think that a better place for such middleware would be oslo or maybe some new repository.

tags: added: rfe
removed: rfe-triaged
Changed in neutron:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Rabi Mishra <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/800410
